8,404 Tests

Posted by Nancy Wyatt (Penetration Testing), 7 Jan 2013
From the development office: An insight into how a product as sophisticated as Conseal Server is security-ensured before we allow it out.

Any server product naturally needs very careful testing and analysis to ensure, amongst other things, that it is safe for users and secure for the computer it's installed to. With Conseal Server, we arguably have an even greater responsibility than most to ensure complete security, given the sensitivity of the data it protects.

Each release, therefore, goes through a very strenuous series of tests. Our current checklist calls for a vast 8,404 separate tests on each and every release - and this number grows with every release. The checks allows us to guarantee things like user permissions working as they should, devices being available only as permitted by user-supplied access rules and users being correctly "sandboxed" (meaning they cannot overstep their permissions).

We also test against security flaws which commonly affect other server software, such as protection against cross-site request forgery and HTML and SQL injection attacks. It is my job as a penetration tester to attack the server in as many different ways as I can. Again, we have a checklist of attacks we try on every release - by the fun of my work is finding ever-more creative ways of attacking!

As a final layer of security testing, we analyse all the differences in code between releases. This can also be helpful in formulating attacks against the server - knowing how it's written can suggest further attacks to try.

If you are looking to start pen-testing a server, whether your own code or a third party one you've just installed (or even if you want to confirm our work on Conseal Server!) then here is a very useful guide to some of the most common and dangerous flaws.

0 comments:

Post a Comment